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REMARKS 

By way of the foregoing amendments to the claims, claims 1 , 2, 4, and 6-9 have been 
amended to delete multiple dependencies and to make minor editorial changes. New claims 
10-18 have been added. No new matter has been introduced by these changes. 

Attached is a substitute specification which has been amended to reflect the above 
mentioned changes. Accompanying the substitute specification is a marked-up copy of the 
specification showing the changes that have been made. No new matter has been 
introduced by any of the changes presented in this Preliminary Amendment. 

It is requested that the application be examined on the basis of the claims as 
amended. 

Early and favorable consideration with respect to this application is respectfully 
requested. 

Should any questions arise in connection with this application, the undersigned 
respectfully requests that he be contacted at the number indicated below. 
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Method and associated device for generating random 
numbers in a given range 

This disclosure is based upon French Application 
5 No. 0312435 filed October 24, 2003 and International 
Application No. PCT/FR2004/050510, filed October 18, 
2004, the contents of which are incorporated herein by 
reference . 

10 BACKGROUND OF THE INVENTION 

The invention concerns a method of obtaining a 
random number between A and B from a generator 
producing random numbers lying between 0 and W-l, with 
N the size of the numbers produced by the generator, W- 

15 1 the maximum value taken by the random numbers 
produced, with for example W = 2 N and A, B any integer 
numbers, less than or greater than the number W. 

Such a situation occurs for example in an 
electronic component adapted to perform cryptographic 

20 calculations and comprising an N-bit random number 
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generator, for example N = 8. The random numbers that 
it can produce are thus between 0 and W-l = 255, whilst 
it would be desirable to have random numbers between 
for example 0 and 100 or between 300 and 10000. It 
5 should be noted that it suffices to determine numbers 
between 0 and 9700 and then to add 300 to the number 
obtained in order finally to obtain a number between 
300 and 10000. 

Such a situation is found in practice in the 

10 majority of cryptographic applications, for example the 
DSA signature, the El Gamal signature or enciphering, 
the development of countermeasures against various 
attacks, etc. 

Several methods are already known for producing 

15 random numbers R between 0 and K from numbers between 0 
and W-l. These methods are in general implemented by 
software means used to control on the one hand a 
hardware generator that produces random numbers of size 
N and on the other hand calculation means performing in 

20 particular multiplication, addition, etc operations. 

A first known method comprises the following 

steps : 

a) determining the smallest integer number p such 
that K < WP - 1, 

25 b) producing p random numbers S 0 , S, . . . , S p _i and 

P -\ 

forming the variable S = ^S i *W i 

c) if S > K, then returning to step b) , otherwise 
putting R = S 
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R is the random number sought, between 0 and K. 
p-i 

The equation S = y £S i *W is a representation of the 

i=0 

variable S decomposed/recomposed in base (W p_1 , . .., W 1 , 
W°) . It would also be possible to note S = 

5 Sp-iSp-2 . . . SiSo, a notation commonly used. 

A second known method comprises the following 

steps : 

a) determining the smallest integer number p such 
that K < WP - 1, 

10 b) producing p random numbers So, S, . . . , S p _i and 

forming the variable T = ^ i S i *W i and S = T + Sp.^W 1 ?" 1 

f=0 

c) if S > K, putting R = T otherwise putting R = 

S 

A third known method comprises the following 

15 steps: 

a) determining the smallest integer p such that K 
< WP - 1, 

b) producing p random numbers So, S, . .., S p _i and 

forming the variable S = ^S*W l 

20 c) putting R = S mod(K+l), that is to say the 

remainder of the whole-number division of S by K+l, 
also referred to as modular reduction of S by K+l. 

These three methods can be summarised by the 
following steps : 
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a) producing p random numbers So, S, . .., S p -i, 
being the smallest integer number such that K <W P - 1 

and forming the variable S = / j S i *W 

b) determining the random number R from the 
5 variable S. 

According to circumstances, during step b, R is 
obtained from S by repeating step b (first method), 
taking account or not of the additional random number 
Sp-i (second method) or performing a modular reduction 

10 (third method) . 

It should be noted that, in the three methods, if 
a number between A and K+A is required, it suffices to 
add A to the number R obtained lying between 0 and K. 

The main drawback of the first method is a 

15 particularly long and especially unpredictable 
calculation time: the step of producing the p random 
numbers may be repeated numerous times without it being 
possible to predict at the start the number of 
'repetitions of this step. 

20 The second and third methods have the main 

drawback of producing random numbers exhibiting a bias: 
amongst the numbers R produced in the range [0, K] , 
certain values are more probable than others. In other 
words, the numbers R produced are not perfectly random 

25 (non-uniform distribution) . This bias may have 

significant consequences on the security of the 
cryptographic systems liable to implement these methods. 
The security of cryptographic systems assumes in fact 
that the random numbers that they use are uniformly 
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distributed (or at least close to a uniform distribution) 
in the range [0, K] or [A, K+A] wished for. 

Finally, the three methods are slow overall 
because they implement operations on large numbers, of 
5 size N (in the sense of the number of bits) greater than 
the size of the circuits used for the implementation. 
This is because the number K in particular is any number 
and can be greater than W and therefore of size greater 
than N . The variable S can also be of large size. 
10 However, the implementation of operations on large 
numbers requires the implementation of complex methods 
expensive in terms of calculation time. 

DESCRIPTION OF THE INVENTION 

15 An essential object of the invention is to 

propose a method of constructing a random number R that 
is particularly rapid. 

Thus the invention proposes a cryptographic 
method during which use is made of a random number 
20 generator producing random numbers Si of size N fixed 
between 0 and W-l, with for example but not necessarily 
W = 2 N , in order to produce a random number R between 0 
and a predefined limiter K. 

The essential basic steps of a method according 
25 to the invention are as follows: 

E31: a random variable Si between 0 and W-l is 
produced, 

E32: if the random variable Si is strictly less 
than a coefficient Ki of the limiter K in base W, then 
30 the coefficient R± of rank i of the random number R is 
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equal to the random variable Si and then, for any rank J 
less than i, a random variable Sj between 0 and W-l is 
produced and Rj = Sj, 

E33: otherwise, if the said random variable is 
5 greater than the coefficient Ki of rank i of the limiter 
K in base W, then the said coefficient R ± is determined 
from the random variable Si of rank i according to a 
predetermined function, and then the coefficient Ri-i is 
determined for the random number R of rank i-1 that is 

10 immediately lower by repeating steps E31 to E33. 

Thus, in a method according to the invention, the 
coefficients Ri of the random number R required are 
sought one by one, commencing with the most significant 
coefficient R p -i . The physical generator of random 

15 numbers used thus produces random variables Si one by 
one, one variable at each iteration. 

In addition, the method is rapid since step E33 is 
executed a small number of times. This is because, as 
soon as one of the variables Si produced by the physical 

20 generator is less than the associated coefficient Ki of 
the limiter K, the method no longer requires the 
processing of the variables Sj of rank less than i: thus 
a small number of coefficients of the number R, the most 
significant, are calculated the most often. 

25 Finally, compared with the known methods, a 

method according to the invention has the advantage of 
working on numbers of no more than N bits, N being the 
size of the registers and other calculation circuits of 
the devices used for implementation. For example, if W 

30 is equal to S N , the coefficients Ki resulting from the 
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decomposition of K in base (W p-1 , . . . w 1 , W°) are 
necessarily less than W and therefore with a size of no 
more than N bits. Likewise, the random variables Si 
produced by the physical random number generator are 
5 also of N bits. 

By adding to the essential basic steps an 
initialisation step and a step of recombination of the 
random number R, there are obtained: 

El: the limiter K is decomposed in base (W p_1 , W p ~ 2 

10 . .., W°) (K = ]T i K i *W i or K = K p " 2 ... K 1 ^) , i being a 

/=o 

loop index, K± being a coefficient of the limiter K of 
rank i between 0 and W-l and p being the degree of the 
limiter K, 

E2 : a Boolean variable f is initialised to TRUE, 
15 E3: the following operations are performed, in a 

loop indexed by i, i being an integer varying between 
p-1 and 0: 

E31: a random variable Si between 0 and W0-1 
is produced, 

20 E32 : if the random variable Si is strictly 

less than the coefficient Ki of rank i, then the 
Boolean variable f is set to FALSE, 

E33_l: if the random variable Si is strictly 
greater than the coefficient Ki of rank i and the 
25 Boolean variable f is TRUE, then the coefficient R± 

of rank i is determined from the random variable Si 
of rank i according to a predefined function, 
E33_2: otherwise Ri = Si 
E34 : the loop indexed i is decremented, 
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E4: the random number R is determined by 
recombination of the random coefficients Ri in base 



In concrete terms, as soon as the Boolean 
variable f is positioned at FALSE, it remains at this 
value since provision is not made for repositioning it 
at the value TRUE, except when E2 of the method is 
initialised. Step E32 is executed only if the variable 
f is TRUE; thus, as soon as the variable f is 
positioned at the value FALSE, step E33_l is no longer 
executed and the method according to the invention ends 
rapidly. 

A second objective of the invention is to propose 
a method of constructing random numbers whose 
distribution is uniform or can be made as close as 
desired to a uniform distribution. This objective is 
achieved by choosing a suitable function for the 
determination of the coefficient Ri from the random 
variable Si. 

According to a first embodiment of the method 
according to the invention, in order to determine the 
coefficient Ri of rank i from the random variable Si of 
rank i (step E33_l), the following substeps are 
performed: 

E33_ll: if the random variable Si is strictly 
greater than the coefficient Ki of the limiter K, then a 
new random variable Si is produced, 

E33_12: step E33_ll is repeated until the random 
variable Si is less than the coefficient Ki of the 




R 1 R°) . 
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limiter K, and then the coefficient Ri is equalised to 
the random variable Si. 

In such an embodiment, all the coefficients Ri 
obtained are numbers directly produced by the hardware 
5 random number generator; and these coefficients are 
therefore perfect and the number R which results 
therefrom is also perfect. In other words the 

distribution obtained of the numbers R is uniform in 
the range [0, K] . 

10 According to a second embodiment, during step E33 

the coefficient Ri of rank i is chosen so as to be equal 
to part of the random variable Si, a part less than the 
coefficient Ki . The, said part corresponding in one 
example to a limited number of bits of the variable Si. 

15 According to a third embodiment, during step E33 

the random variable Si is reduced modulo Ki+1, the 
results of the reduction being the coefficient Ri 
sought . 

These latter two embodiments are rapid compared 
20 with the known methods, essentially because the work is 
done on small numbers. The distributions of random 
numbers obtained are however not uniform: the simple 
fact of truncating the variable Si or performing a 
reduction modulo Ki+1 necessarily introduces a bias. 
25 However, this bias is less compared with the methods of 
the prior art. 

Moreover, it is possible to reduce the bias of 
the methods according to the second and third 
embodiments proposed, as will be seen below. 
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In a method according to the invention as 
described above, a random number R is constructed less 
than K from variables Si of size N produced by a 
perfectly random physical generator. The number R 
5 obtained is biased, but the bias is small compared with 
a known method. 

For this, in the second or third embodiment, a 
coefficient Ri < Ki is constructed, in particular during 
step E33_l, from variables Si of size N. In order to 
10 reduce the bias introduced on the coefficient Ri, it is 
proposed to construct it using the same steps El to E3 
as for constructing the number R. In a sense, two 
similar methods are "interleaved". This makes it 

possible to reduce further the size of the numbers on 
15 which the work is carried out, and consequently to 
reduce further the bias on the coefficient of R, and on 
the final number R. 

In concrete terms, in order to determine the 
coefficient Ri of rank i from the random variable S± of 
20 rank i (step E33_l) , steps El to E4 are executed using 
a base (P* 3-1 , P°) as the calculation base, P being 

an integer number strictly less than W and q being the 
degree of Ki in base p. 

Step E33 is thus broken down into the following 
25 substeps: 

E33_41: the coefficient Ki of rank i of the 

limiter K in base (p q "\ P°) ( K x = Y*( K ih * P J or K ^ = 

y=o 

(Ki) q -i . . . (Ki) i (Ki) 0 ) / j being a loop index, (Ki)j being a 
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number between 0 and 0-1 and q being a degree of the 
coefficient Kj., is decomposed, 

E33_42: a second Boolean variable g is 
initialised to TRUE, 
5 E33_43: the following operations are performed, 

in a loop indexed by j varying between q-1 and 0: 

E33_431: a random variable (Si)j between 0 
and P~l is produced, 

E33_432: if the random variable (Si)j is 
10 strictly less than the coefficient (Ki)j, then the 

second Boolean variable g is set to FALSE, 

E33_4331: if the random variable (Si)j is 
strictly greater than the coefficient (Ki)j and the 
second Boolean variable g is TRUE, then a 
15 coefficient (Ri)j is determined from the random 

variable (Si)j according to a predefined function, 
E33_4332: otherwise, (R±)j = (Si)j 
E33__434: the loop indexed j is decremented, 
E33_44: the random number Ri is determined by 
20 recombination of the random coefficients (Ri)j in base p 

q-l 

or Ri = (Ri) q -i.. . (Ri)i(Ri)o) . 

As has just been seen above, by '"interleaving" 
two methods, the bias of the random numbers R produced 
by the global method is reduced, whilst preserving a 
25 rapid global method. It is of course possible to 
imagine "interleaving" more than two methods, for 
example three or four, by decomposing, in step E33_43, 
the numbers in base y < p, and decomposing step E33_43 
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in a succession of steps similar to steps E33_41 to 
E33_43. 

In general terms, the more methods are 
"interleaved 7 ', the smaller the numbers on which the 
5 work is carried out: the duration of each step 
decreases and the bias of the numbers produced by the 
global method also decreases. 

Another object of the invention is an electronic 
component adapted for implementing the method as 
10 described above. Such a component comprises in 

particular a generator producing random numbers of size 
N, and calculation circuits for performing operations 
on numbers of no more than N bits. 

According to the embodiment of the method to be 
15 implemented, the calculation circuits are adapted to 
perform operations of comparing two numbers, number 
truncation and modular reduction. 

The random number generator and the calculation 
circuits are preferably controlled by a software means 
20 stored in a memory of the component provided for this 
purpose . 

The invention also concerns a chip card 
comprising an electronic component as described above. 
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CLAIMS 

1. A cryptographic method during which use is 
made of a random number generator producing random 

5 numbers S± of size N fixed between 0 and W-l, in order 
to produce a random number R between 0 and a predefined 
limiter K, characterised in that: 

E31: a random variable Si between 0 and W-l is 
produced, 

10 E32 : if the random variable Si is strictly less 

than a coefficient Ki of the limiter K in base W, then 
the coefficient R± of rank i of the random number R is 
equal to the random variable Si and then, for any rank J 
less than i, a random variable Sj between 0 and W-l is 

15 produced and Rj = Sj, 

E33: otherwise, if the said random variable is 
greater than the coefficient Ki of rank i of the limiter 
K in base W, then the said coefficient R A is determined 
from the random variable Si of rank i according to a 

20 predetermined function, and then the coefficient Ri_i is 
determined for the random number R of rank i-1 that is 
immediately lower by repeating steps E31 to E33. 

2. A method according to claim 2, during which 
the following steps are performed: 

25 El: the limiter K is decomposed in base (W 9 " 1 , W p ~ 2 

W°) in the form K-^^K^W 1 , i being a loop index, 

i=0 

Ki being a coefficient of the limiter K of rank i 
between 0 and W-l and p being the degree of the limiter 
K, 
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E2 : a Boolean variable f is initialised to TRUE, 
E3 : the following operations are performed, in a 

loop indexed by i, i being an integer varying between 

p-1 and 0: 

5 E31: a random variable Si between 0 and W0-1 

is produced, 

E32 : if the random variable Si is strictly 

less than the coefficient K ± of rank i, then the 

Boolean variable f is set to FALSE, 

10 E33_l: if the random variable Si is strictly 

greater than the coefficient Ki of rank i and the 

Boolean variable f is TRUE, then the coefficient Ri 

of rank i is determined from the random variable Si 

of rank i according to a predefined function, 

15 E33_2: otherwise Ri = Si 

E34: the loop indexed i is decremented, 

E4 : the random number R is determined by 

recombination of the random coefficients Ri in base W 

P -\ 

according to the equation: R = ^R i *JV l . 

i=0 

20 3. A method according to claim 2, during which, 

in order to determine the coefficient Ri of rank i from 
the random variable Si of rank i (steps E33_l and 
E33_2), the following substeps are performed: 

E33_ll: if the random variable Si is strictly 
25 greater than the coefficient Ki of the limiter K, then a 
new random variable Si is produced, 

E33_12: step E33_ll is repeated until the random 
variable Si is less than the coefficient Ki of the 



15 



limiter K, and then the coefficient Ri is equalised to 
the random variable Si. 

4. A method according to claim 2, during which 
the coefficient Ri of rank i is chosen (steps E33-1 and 

5 E33_2) equal to the part of the random variable Si, the 
part less than the coefficient Ki, the said part 
corresponding to a limited number of bits of the 
variable Si. 

5. A method according to claim 2, during which, 
10 in order to determine the coefficient Ri of rank i from 

the random variable S± of rank i (step E33) , the random 
variable Si is reduced modulo Ki+1, the result of the 
reduction being the coefficient sought. 

6. A method according to one of claims 1 to 5, 
15 during which, in order to determine the coefficient Ri 

of rank i from the random variable Si of rank i (step 
E33), steps El to E4 are executed using a base (P q_1 , 
P°) as the calculation base, p being an integer 
strictly less than W and q being the degree of k in 
20 case p. 

7. A method according to claim 6, in which step 
E33 is broken down into the following substeps : 

E33_41: the coefficient Ki of rank i of the 
limiter K in base (p q_1 , P°) in the form 

25 K y =2_ J {K i ) j *p j , j being a loop index, (K ± )j being a 

number between 0 and p-1 and q being a degree of the 
coefficient Ki, is decomposed, 
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E33_42: a second Boolean variable g is 
initialised to TRUE, 

E33_43: the following operations are performed, 
in a loop indexed by j varying between q-1 and 0: 
5 E33_431: a random variable (Si)j between 0 

and p-1 is produced, 

E33_432: if the random variable (Si)j is 
strictly less than the coefficient (Ki)j, then the 
second Boolean variable g is set to FALSE, 
10 E33_4331: if the random variable (S±)j is 

strictly greater than the coefficient (Ki)j and the 
second Boolean variable g is TRUE, then a 
coefficient (Ri)j is determined from the random 
variable (Si)j according to a predefined function, 
15 E33_4332: otherwise, (Ri)j = (Si) j 

E33_434: the loop indexed j is decremented, 
E33_44: the random number R± is determined by 
recombination of the random coefficients (Ri)j in base P 



according to the equation: R { =^ j (R i ) J * J3 J 



7=0 

20 8. An electronic component comprising a 

generator of random numbers of size N, calculation 
circuits performing in particular a comparison, a 
truncation and/or a modular reduction on numbers of no 
more than N bits, and a means of controlling the random 

25 number generator and calculation circuits, the said 
control means being adapted for implementing a method 
according to one of claims 1 to 7 . 
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9. A chip card comprising an electronic 
component according to the preceding claim. 
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ABSTRACT 

The invention relates to a cryptographic method wherein 
a random number generator producing random numbers Sj 
5 whose size N is fixed between 0 and W-l is used to 

produce a random number R between 0 and a predefined 
limiter K. According to the invention: E31: a random 
variable Sj is produced, ranging from O-W-l , E32 : if the 
random variable Sj is strictly lower than a coefficient 

10 Kj of the limiter K in base W, the coefficient Rj of 

order i of the random number R is equal to the random 
number S± then, for all orders j which are lower than i, 
a random variable Sj of O-W-l is produced and Rj=Sj . 
E33: unless, if said random variable is greater than 

15 coefficient Kj of position i of the limiter K is base W, 
whereupon said coefficient Rj is determined on the basis 
of the random variable Si of order i according to a 
predetermined function, then a coefficient Rj-i is 
determined for the random number R of order i-1 which 

2 0 is immediately lower by repeating stages E31 ~ E33. 

The invention also relates to an electronic component 
which is adapted for implementation of said method and 
a chip card with said component integrated therein. 
The invention can be applied to cryptographic 

25 calculation. 



